Couchbase EncryptionKey issue

Hey! I want to enable local DB encryption on CB Lite, but I don’t want to provide a plain String password and create an EncryptionKey object every time the database is initialised. I see two secure options: either generate a Keystore entry, or generate an EncryptionKey and save it in the Keystore. Both are impossible to implement. I can’t store an EncryptionKey object in the Keystore, and the Couchbase API does not accept KeyPair/PrivateKey (Keystore entries) as an argument. Am I missing something? What would be the most secure implementation, assuming someone may have access to my physical Android device?

I can’t store EncryptionKey object in Keystore

An EncryptionKey is just a 32-byte blob of data; I’m not an Android developer, but any secure store should be able to handle that. If it only accepts text you can base64-encode the key. Or just create a random 43-character password instead, which would be equivalent.

Couchbase API does not accept KeyPair/PrivateKey

Databases aren’t encrypted with asymmetric ciphers like RSA or Curve25519; that’s not what those are for. Encryption uses a symmetric cipher, AES256, which takes a single secret key.

Hey Jens! Thanks for the reply!

To encode an object and save it, the object would have to be Serializable (as far as I know, EncryptionKey does not implement Serializable for good reasons; it would simply expose the key).

I can create a random String password, but I will have to store it and pass it into the EncryptionKey constructor every single time I want to initialise the database. This means I will expose the password in plaintext to memory on a more or less regular basis.

The only scenario which seems very secure to me would be auto-generating a KeyPair entry in the KeyStore and passing down a SecretKey to the Couchbase config. This way the key is never exposed in plaintext. But this is not possible with CB Lite 3.1.x.

There is a public constructor that takes a byte array so it’s not true that you’d need to store plaintext. If you want to generate a random byte array of the proper length that would work just as well.
